The following versions of VictoriaMetrics receive regular security fixes:

See this page for more details.

Every VictoriaMetrics container{{% available_from "#" %}} image published to Docker Hub and Quay.io includes an SPDX SBOM attestation generated automatically by BuildKit during docker buildx build.

To inspect the SBOM for an image:

docker buildx imagetools inspect \
  docker.io/victoriametrics/victoria-metrics:latest \
  --format "{{ json .SBOM }}"

To scan an image using its SBOM attestation with Trivy:

trivy image --sbom-sources oci \
  docker.io/victoriametrics/victoria-metrics:latest

Please report any security issues to security@victoriametrics.com